[OpenIndiana-discuss] ZVOL (et al) /device node access rights
Jim Klimov
jim at cos.ru
Sun Oct 14 13:08:54 UTC 2012
While updating the Wiki page on virtualization, Edward Ned Harvey
wrote of, and brought to my attention, this peculiar situation:
A VirtualBox VM can use delegated zvols as "dsk" or "rdsk" devices
on the host, just like it can use delegated raw disks or partitions,
likely iSCSI volumes and other block devices. According to Edward,
block devices yield better performance than VDI files for VM disks.
A VM can be executed by an unprivileged user, and thus the device
node needs to be RW accessible to that non-root user (whom and why
to trust - that's the admin's problem, OS should not limit that).
So, the problem detected with ZVOLs (and I expect it can have a
wider range on other devices) is that the ownership of the device
node for a zvol is forgotten upon reboot or other pool reimport.
That is, the node used by a VM should be chown'ed upon every VM
startup. That's inconvenient, so to say.
I played more with this and found that I can also set ACLs with
/bin/chmod on device nodes, and that is even remembered across
reboots, however with /dev/zvol/*dsk/pool/vol being a dynamically
assigned symlink like /devices/pseudo/zfs at 0:4(,raw) there is a
problem: the symlink and device node is created when I look at
it (i.e. upon first "ls" or another access to the /dev/zvol/...
object), and the device node occupies the first available number.
The /devices filesystem seems to remember ACL entries (but not
ownerships) across reboots only in conjunction with its object
names, so upon each reboot (reimport) of the pool, the same
device node name can get assigned to different zvols.
This is not only "useless" in terms of stably providing access
to certain devices for certain users, but also harmful as after
a reboot an unexpected user (among those earlier trusted) can
gain access to incorrect devices (and might even enforce that
somehow, by being first to access the device at the correct
moment) and cause DoS or intentional illicit access to other
users' data.
So here is the picture "as is". I am not sure what exactly to ask,
so I guess it's a call for opinions on how the situation can be
improved, in terms of remembering correct ownerships and ACLs for
those devices (not nodes) that the rights were set for, in order
to both increase usability and security of non-root device access.
In the particular case of ZVOL devices, I guess attributes can
be added to the ZVOLs that would hold the POSIX and ACL access
rights and owner:group info (do people agree that is a worthy RFE?).
For non-zfs devices like local disk or iscsi or USB - I am not sure
if the problem exists the same way (not tested) or how it can be
addressed if it exists (some config file for devfs?)
Thanks,
//Jim Klimov
More information about the OpenIndiana-discuss
mailing list